A critical vulnerability in sudo allows gaining root privileges

Qualys security researchers have identified a critical vulnerability (CVE-2021-3156) in the sudo utility, which is used to run commands on behalf of other users.

The vulnerability allows gaining root privileges without authentication. It can be exploited by any user, regardless of membership in system groups or the presence of an entry in the /etc/sudoers file.

The attack does not require the user's password, so the vulnerability can be used by an outsider to elevate privileges on the system after compromising an unprivileged process (including processes running as the user "nobody").

To check whether your system is vulnerable, run the command "sudoedit -s /": the vulnerability is present if an error message starting with "sudoedit:" is displayed.
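The check above can be scripted so that the verdict depends only on the first line of stderr. The following Python script is an added example, not code from the article or from Qualys: the function names classify_sudoedit_output and run_check are mine, and the two sample outputs are constructed strings, not captured from a real host. A patched sudo rejects "-s" in edit mode and prints a usage line instead of the "sudoedit:" error, which is why the classifier treats a "usage:" prefix as patched.

```python
import subprocess

# Constructed sample outputs (not captured from a real system): the first is the
# kind of message a vulnerable sudo prints for "sudoedit -s /", the second the
# usage line a fixed sudo prints when it rejects the -s flag in edit mode.
SAMPLE_VULNERABLE = "sudoedit: /: not a regular file\n"
SAMPLE_PATCHED = "usage: sudoedit [-AknS] [-r role] [-t type] [-u user] file ...\n"


def classify_sudoedit_output(stderr_text: str) -> str:
    """Map the stderr of `sudoedit -s /` to a verdict.

    "sudoedit:" prefix -> the -s flag was accepted in edit mode: vulnerable.
    "usage:" prefix    -> the flag was rejected by the fixed parse_args: patched.
    Anything else (empty output, a password prompt, ...) -> unknown.
    """
    first_line = stderr_text.lstrip().split("\n", 1)[0]
    if first_line.startswith("sudoedit:"):
        return "vulnerable"
    if first_line.startswith("usage:"):
        return "patched"
    return "unknown"


def run_check(timeout: float = 5.0) -> str:
    """Run the article's check on this host; 'unknown' if sudoedit is absent."""
    try:
        proc = subprocess.run(
            ["sudoedit", "-s", "/"],
            stdin=subprocess.DEVNULL,   # never feed a password to the check
            stdout=subprocess.DEVNULL,
            stderr=subprocess.PIPE,
            text=True,
            timeout=timeout,
            check=False,
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "unknown"
    return classify_sudoedit_output(proc.stderr)


if __name__ == "__main__":
    print("constructed vulnerable sample:", classify_sudoedit_output(SAMPLE_VULNERABLE))
    print("constructed patched sample:   ", classify_sudoedit_output(SAMPLE_PATCHED))
    print("this host:                    ", run_check())
```

The script runs as an ordinary user; because the vulnerable code path is reached before any password prompt, stdin is closed so the check can never block waiting for input.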

About the vulnerability

The vulnerability has existed since July 2011 and is caused by a buffer overflow in the handling of escape characters in arguments intended for execution in shell mode. Shell mode is enabled with the "-i" or "-s" arguments and causes the command to be run not directly but through an additional shell invocation with the "-c" flag ("sh -c command").

The essence of the problem is that when sudo is run normally it escapes special characters when the "-i" or "-s" options are given, but when it is started as sudoedit the arguments are not escaped, because the parse_args() function sets the MODE_EDIT flag instead of MODE_SHELL and does not reset the value of "valid_flags".

Passing unescaped characters in turn creates the conditions for a second bug to surface, in the handler that strips the escape characters before the sudoers rules are checked.

This handler mishandles an unescaped backslash at the end of the string: it assumes the backslash escapes one more character and keeps reading past the end of the string, copying the data into the "user_args" buffer and overwriting memory beyond the buffer's bounds.

It is also noted that by manipulating values on the sudoedit command line, the attacker can make the overwritten region overlap data that affects the subsequent flow of execution.

Exploit development is further simplified by the fact that the attacker has full control over the size of the user_args buffer, which corresponds to the total size of the arguments passed, and also controls the size and content of the data written past the buffer by means of environment variables.

The Qualys researchers managed to prepare three exploits, based on overwriting the contents of the sudo_hook_entry, service_user and def_timestampdir structures:

  • By overwriting sudo_hook_entry, a binary named "SYSTEMD_BYPASS_USERDB" could be run as root.
  • By overwriting service_user, it was possible to run arbitrary code as root.
  • By overwriting def_timestampdir, it was possible to dump the contents of the sudo stack, including environment variables, into the /etc/passwd file and thereby substitute a user with root privileges.

The researchers have shown that the exploits work to obtain full root privileges on Ubuntu 20.04, Debian 10 and Fedora 33.

The vulnerability may be exploitable on other operating systems and distributions, but the researchers' verification was limited to Ubuntu, Debian and Fedora. All sudo versions from 1.8.2 to 1.8.31p2 and from 1.9.0 to 1.9.5p1 in the default configuration are reported to be affected. The fix is available in sudo 1.9.5p2.
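The two affected version ranges can be checked mechanically against the output of "sudo --version". The script below is an added example, not part of the article or of the sudo project: the function names parse_sudo_version, version_is_affected and installed_sudo_version are mine, the ranges are copied from the paragraph above (inclusive at both ends), and the version strings fed to it are constructed test inputs.

```python
import re
import subprocess

# Affected ranges as stated in the article, inclusive at both ends, as
# (major, minor, patch, p-level) tuples so that plain tuple comparison works.
AFFECTED_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),   # 1.8.2 .. 1.8.31p2
    ((1, 9, 0, 0), (1, 9, 5, 1)),    # 1.9.0 .. 1.9.5p1
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text: str):
    """Extract a sudo version such as '1.8.31p2' as a comparable tuple.

    Accepts a bare version string or the first line of `sudo --version`
    ("Sudo version 1.8.31"). A missing 'pN' suffix counts as p-level 0, so
    1.9.5 sorts before 1.9.5p1. Returns None if no version is found.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_is_affected(text: str) -> bool:
    """True if the version found in `text` lies inside one of the affected ranges."""
    v = parse_sudo_version(text)
    if v is None:
        return False
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def installed_sudo_version():
    """Version tuple of the sudo on this host, or None if sudo is not available."""
    try:
        out = subprocess.run(
            ["sudo", "--version"], capture_output=True, text=True, timeout=5, check=False
        ).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return parse_sudo_version(out.splitlines()[0] if out else "")


if __name__ == "__main__":
    # Constructed inputs, not taken from a real host.
    for s in ["Sudo version 1.8.31", "1.8.31p2", "1.9.5p1", "1.9.5p2", "1.8.1", "1.9.6"]:
        print(f"{s:22} affected={version_is_affected(s)}")
    print("this host:", installed_sudo_version())
```

A version-only check is a first pass, not a verdict: distributions commonly backport the fix without changing the upstream version number, so a host reporting 1.8.31 may already be patched. The "sudoedit -s /" test described earlier in the article exercises the actual code path and is the authoritative check.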

The researchers notified developers in advance, and distributions have already released package updates in a coordinated way: Debian, RHEL, Fedora, Ubuntu, SUSE/openSUSE, Arch Linux, Slackware, Gentoo and FreeBSD.

Finally, if you are interested in learning more about the vulnerability, you can check the details at the following link.
